Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways.
Formerly known as MobileIron Sentry, the Ivanti Sentry security gateway appliance secures traffic between back-end corporate systems and remote mobile devices.
Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness and was patched by Ivanti on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.
While the company said at the time that it had no evidence of in-the-wild exploitation, the Shadowserver nonprofit security organization reported the next day that attackers had already backdoored most of the Sentry gateways exposed online.
The Internet security watchdog added that, while its scans detect only a very limited number of exposed Sentry instances, there are likely more because its search engine is being blocklisted.
"We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today. We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to Saudi NCA for the tip!). However, all remaining likely compromised too," Shadowserver warned.
"While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised."
Ivanti Sentry admin portals exposed online (Shadowserver)
Ivanti has yet to update the security advisory issued on Tuesday, which still states that "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure."
An Ivanti spokesperson was not immediately available for comment when BleepingComputer reached out today for further details on these ongoing attacks.